"Let's Encrypt" is the project bringing free and easy-to-use encryption to the masses. With "Let's Encrypt" everyone can get an SSL certificate for their sites or services such as mail and FTP for free, forever! The service lowers the barrier to SSL adoption not only by making it easy to get a free SSL certificate, but also by making it easy to install and renew your certificates. So how does one install and use "Let's Encrypt"?
First you need to install the "Let's Encrypt" scripts and support utilities. Since it is mainly made up of Python scripts, the current way to install "Let's Encrypt" is to download the source code from its git repository.
Git is a distributed version control system but that is another story. To install git on Ubuntu run
"sudo apt-get install git"
on the command line. Once git is installed "Let's Encrypt" can be installed with
"git clone https://github.com/letsencrypt/letsencrypt"
Git will go off and pull down the "Let's Encrypt" scripts into a folder called "letsencrypt" in your current working directory. In time I am sure your favourite Linux distribution will bundle "Let's Encrypt" as part of its support software, and it could then be installed with "apt-get install letsencrypt".
The one advantage of using the scripts directly from source is that you can get the latest updates by running "git pull" in the letsencrypt directory.
So how does one actually get a certificate? First you need to change into the letsencrypt directory with
The commands which we will run will use the "letsencrypt-auto" script, which wraps the real functionality of "Let's Encrypt" with some checks for Python support, the latest version of the letsencrypt source and whether your system is up-to-date. (I think it does a little too much to be honest.)
Domain ownership verification
Before we generate a certificate signing request and retrieve a signed certificate, it would be helpful to understand how "Let's Encrypt" verifies that you are the owner of the domain you are trying to generate a certificate for! To do this "Let's Encrypt" will create a marker file, or challenge response, in the document root of the domain you are trying to register and then see if it can retrieve the file via HTTP using the domain name you are registering with.
There are three plugins so far for doing this.
- apache/nginx -> makes use of an existing Apache or nginx install to do the verification. I haven't tested this myself with virtual hosts but I doubt it will work with them, as it will need to find the correct DocumentRoot to write to. But don't worry if you use virtual hosting - see the "webroot" plugin below. What's nice about this module is that it will also configure Apache and nginx to use the certs automatically for you. Nice and simple.
- standalone -> to be used if you don't have a web server running but need one temporarily for the registration process. This will fire up a web server to answer the challenge and shut it down after verification is complete. Great for getting SSL certs on your mail or FTP servers. If you are running something on port 80 with this module you will first need to shut down the service holding the port.
- webroot -> the best option for a virtual host environment. Essentially you tell letsencrypt where the web roots are for your domains so it can place its marker files there.
So time to generate a private key, generate a public certificate signing request and submit it for signing. The command will take the following form:
letsencrypt-auto --<module name> [-module options]* -d <domain name>
All plugins share the following arguments:
- -d -> the domain name to create the SSL cert for. You can request multiple domain names by stringing as many -d <domain name> together as you want. These will all be added to one certificate.
Now for the module-specific options:
letsencrypt-auto --apache -d cybersecurity.joburg -d www.cybersecurity.joburg
letsencrypt-auto --standalone -d cybersecurity.joburg -d www.cybersecurity.joburg
letsencrypt-auto --webroot -w /var/www/cybersecurity -d cybersecurity.joburg -d www.cybersecurity.joburg
You can also specify multiple document roots with webroot e.g.
letsencrypt-auto --webroot -w /var/www/cybersecurity.joburg -d cybersecurity.joburg -w /var/www/cybersecurity.durban -d cybersecurity.durban
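As an added example (not part of this post or of the letsencrypt code), here is a POSIX shell pre-flight check for the webroot plugin: for each -w/-d pair it writes a throwaway token where the challenge file would go and fetches it over plain HTTP the way the CA does, so a vhost that serves a different DocumentRoot for that name, or a catch-all page, is caught before you request the certificate. It assumes challenge files are served from <webroot>/.well-known/acme-challenge/; the function names and messages are my own.

```shell
#!/bin/sh
# Pre-flight check for the webroot plugin (added example, not from "Let's Encrypt").
# For every webroot/domain pair: drop a throwaway token where the challenge file
# would go, fetch it over plain HTTP like the CA does, and compare the two.
# Assumption: challenge files are served from <webroot>/.well-known/acme-challenge/.
CHALLENGE_DIR=".well-known/acme-challenge"

# On-disk path of a token under a given webroot.
challenge_file() { printf '%s/%s/%s\n' "$1" "$CHALLENGE_DIR" "$2"; }

# URL the CA fetches for that token on a given domain (always plain HTTP, port 80).
challenge_url() { printf 'http://%s/%s/%s\n' "$1" "$CHALLENGE_DIR" "$2"; }

# Fetch a URL to stdout; non-zero on HTTP errors (4xx/5xx) or network failure.
fetch_url() { curl -fsS --max-time 10 "$1"; }

# check_webroot <webroot> <domain>: returns 0 only if the token written under
# <webroot> comes back unchanged from http://<domain>/..., 1 otherwise.
check_webroot() {
    webroot=$1; domain=$2
    token="preflight-$(date +%s)-$$"
    file=$(challenge_file "$webroot" "$token")
    mkdir -p "$(dirname "$file")" || return 1
    printf '%s' "$token" > "$file" || return 1
    body=""
    if body=$(fetch_url "$(challenge_url "$domain" "$token")"); then
        rc=0
    else
        rc=1
    fi
    rm -f "$file"                      # leave nothing behind in the webroot
    [ "$rc" -eq 0 ] && [ "$body" = "$token" ]
}

# Usage: preflight.sh <webroot> <domain> [<webroot> <domain> ...]
while [ "$#" -ge 2 ]; do
    if check_webroot "$1" "$2"; then
        echo "OK   $2 -> $1"
    else
        echo "FAIL $2 -> $1 (check DNS, the vhost's DocumentRoot and port 80 access)"
    fi
    shift 2
done
```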
If you are using the standalone or webroot plugins you will have to configure your service to refer to the certificates to start using them. The certificates are located under /etc/letsencrypt/live, which is a symlink to the latest version of the certs.
Your service will need to link in:
- your signed cert (cert.pem),
- your private key (privkey.pem),
- the certificate bundle which includes the root CA public cert and its intermediate certs (chain.pem).
So for Apache this would mean editing the following lines in your virtual host settings:
<VirtualHost *:443>
    SSLCertificateFile /etc/letsencrypt/live/linuxcertifcation.co.za/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/linuxcertifcation.co.za/privkey.pem
    SSLCACertificateFile /etc/letsencrypt/live/linuxcertifcation.co.za/chain.pem
</VirtualHost>
The certificates are valid for 3 months only. After getting over this you soon find out it's not as bad as it sounds, since renewing the certificates is trivial. All you need to do is run the command
To automate this you can place the command in your crontab to run once a week. The command "letsencrypt renew" will only attempt to renew a certificate that is due to expire in 30 days or less, so running it once a week should be sufficient to make sure you never end up with an expired certificate.
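An added example, not from this post or the project: a wrapper for that weekly cron job which runs the renewal and reloads Apache only when a certificate under /etc/letsencrypt/live actually changed, since with the standalone and webroot plugins nothing else tells the service to pick up the new files. It assumes the clone lives at /opt/letsencrypt and that Apache is reloaded with "service apache2 reload"; the log path and the crontab line at the end are constructed.

```shell
#!/bin/sh
# Weekly renewal wrapper (added example, not part of "Let's Encrypt").
# Runs "letsencrypt-auto renew" and reloads Apache only if any cert.pem changed,
# so services that were pointed at /etc/letsencrypt/live by hand pick up renewals.
# Assumptions: letsencrypt cloned to /opt/letsencrypt, Apache managed by service(8).
LE_BIN="${LE_BIN:-/opt/letsencrypt/letsencrypt-auto}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
LOG="${LOG:-/var/log/letsencrypt-renew.log}"

# Checksum over the contents of every cert.pem under the live directory, in a
# stable order, so the value only changes when a certificate is replaced.
fingerprint_certs() {
    find "$1" -name cert.pem 2>/dev/null | LC_ALL=C sort | while read -r f; do
        cksum < "$f"
    done | cksum | cut -d' ' -f1
}

# Run the renewal; return 0 if at least one certificate changed, 1 otherwise.
renew_and_detect_change() {
    before=$(fingerprint_certs "$LIVE_DIR")
    "$LE_BIN" renew >> "$LOG" 2>&1
    after=$(fingerprint_certs "$LIVE_DIR")
    [ "$before" != "$after" ]
}

# Only do the real work when invoked with "run", e.g. from cron:
# 30 3 * * 0 /usr/local/sbin/le-renew.sh run        (constructed crontab entry)
if [ "${1:-}" = "run" ]; then
    if renew_and_detect_change; then
        echo "$(date) certificates changed, reloading apache" >> "$LOG"
        service apache2 reload
    else
        echo "$(date) renewal run, nothing changed" >> "$LOG"
    fi
fi
```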
The documentation for "Let's Encrypt" is not great but will hopefully improve in time as the project gets more widely adopted. The other con is that "Let's Encrypt" does not support wildcard certificates.
With "Let's Encrypt" we can finally get widespread adoption of secure, encrypted communications.